fix(open-xchange): Improve ingress and serviceMonitor

## [0.5.77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.76...v0.5.77) (2024-02-16)

### Bug Fixes

* **ci:** Complete CI var usage for external registry ([3bcdcd0](3bcdcd06b7))
* **ci:** Update openDesk CI Lint to v2.3.1 ([250ef2b](250ef2bc3f))
* **collabora:** Add chart validation ([0159902](01599022f1))
* **collabora:** Bump to 23.05.9.1.1 ([b525a81](b525a814fc))
* **cryptpad:** Update chart to v0.0.18 ([6f0b1f3](6f0b1f37fc))
* **docs:** Add functional component table referencing the component versions to README.md ([bc7eeb8](bc7eeb8c9d))
* **docs:** Add generated security-context.md ([d9e07ff](d9e07ff7bd))
* **element:** Change name of neodatefix bot job ([dd535da](dd535daac0))
* **element:** Disable e2ee ([ba0824b](ba0824bac3))
* **helmfile:** Add additional provisioning components and configuration ([110ff56](110ff56f74))
* **helmfile:** Add seLinuxOptions for all applications ([02d04fa](02d04faa2a))
* **helmfile:** Annotations in image.yaml ([7ebbd03](7ebbd03bdc))
* **helmfile:** Bump Collabora Chart to 1.11.1 and Image to 23.05.8.4.1 ([d2b1f0b](d2b1f0b07b))
* **helmfile:** Fix annotations in images.yaml ([acaec3b](acaec3b8ac))
* **helmfile:** Fix umsPortalFrontend image annotation ([8f83261](8f83261986))
* **helmfile:** Improve debugging ([56f5e35](56f5e35895))
* **nextcloud:** Bump openincryptpad to 0.3.3 and disable circles app ([f2b8acf](f2b8acfba8))
* **nextcloud:** Set backchannel logout url ([c0fc225](c0fc225349))
* **nextcloud:** Update image, nextcloud apps and chart ([fd2a66f](fd2a66f8f2))
* **nextcloud:** Update nextcloud image and chart to support upgrades ([5d95e7a](5d95e7ab2a))
* **nextcloud:** Update to Nextcloud to v28 ([7c9f38f](7c9f38f06e))
* **open-xchange:** Bump Gotenberg image ([49f126d](49f126d169))
* **open-xchange:** Dovecot image on OpenCoDE without mirror ([1396071](1396071865))
* **openproject:** Bump version to 13.3.0 ([c2087ef](c2087efcf9))
* **univention-management-stack:** New device login notifications on first login with 2FA ([ee1a337](ee1a337ab5))
* **univention-management-stack:** Patches not applied to uldap ([2909e1d](2909e1d821))
* **univention-management-stack:** Support for object-storage icons and portal files ([83ac645](83ac645fae))
* **univention-management-stack:** Update NGINX Helm chart to 15.9.3 ([c16c0ac](c16c0ac795))
* **univention-management-stack:** Update otterize to allow umc-server communication with memcached ([6c15dc1](6c15dc1d66))
* **xwiki:** Add bottom border to top nav bar to be aligned with the other components ([affa92c](affa92cde2))
* **xwiki:** Bump XWiki chart to 1.3.0 ([cabee0c](cabee0c9da))

.gitlab-ci.yml

@@ -8,6 +8,7 @@ include:
       - "ci/common/automr.yml"
       - "ci/common/lint.yml"
       - "ci/release-automation/semantic-release.yml"
+  - local: "/.gitlab/generate/generate-docs.yml"
   - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     file: "gitlab/environments.yaml"
     rules:
@@ -209,8 +210,8 @@ env-start:
       kubectl create secret
       --namespace "${NAMESPACE}"
       docker-registry external-registry
-      --docker-server "external-registry.souvap-univention.de"
-      --docker-username sovereign-workplace
+      --docker-server "${EXTERNAL_REGISTRY}"
+      --docker-username "${EXTERNAL_REGISTRY_USERNAME}"
       --docker-password "${EXTERNAL_REGISTRY_PASSWORD}"
       --dry-run=client -o yaml | kubectl apply -f -
   stage: "env"
@@ -612,7 +613,8 @@ release:
               "CHANGELOG.md",
               "charts/**/README.md",
               "helmfile/environments/default/global.generated.yaml",
-              ".kyverno/kyverno-test.yaml"
+              ".kyverno/kyverno-test.yaml",
+              "docs"
             ],
             "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
           }]
@@ -622,4 +624,5 @@ release:
     - "semantic-release"
   needs:
     - "generate-release-assets"
+    - "generate-docs"
 ...

.gitlab/common/common.yml

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+variables:
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.2\
+    @sha256:7a866a34b82dddea8867862afaaccb1d1e385854ce344fc71be492800a5b16a6"
+  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
+    @sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
+
+.common:
+  cache: {}
+  needs: []
+  tags:
+    - "docker"
+...

.gitlab/generate/generate-common.yml

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+include:
+  - local: "/.gitlab/common/common.yml"
+
+.generate-common:
+  extends: ".common"
+  stage: ".post"
+  tags: []
+...

.gitlab/generate/generate-docs.yml

@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+include:
+  - local: "/.gitlab/generate/generate-common.yml"
+
+generate-docs:
+  cache:
+    - key: "generate-docs-${CI_COMMIT_REF_SLUG}"
+      paths:
+        - "${CI_PROJECT_DIR}/docs"
+      policy: "push"
+  extends: ".generate-common"
+  image: "${OPENDESK_CI_CLI_IMAGE}"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "on_success"
+  script:
+    - "node /app/src/index.js generate-docs -d ${CI_PROJECT_DIR}"
+...

.gitlab/lint/lint-common.yml

@@ -1,17 +1,11 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.2.0\
-    @sha256:b36b1fc8a19605306dffef2c919c2a6bf5a3099e8a42ecb39a416394410b75d7"
-  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.1\
-    @sha256:5b1bd85cc73ba0cede1f37d79fa7eeebffa653afa7944406eea9287c29a7769a"
+include:
+  - local: "/.gitlab/common/common.yml"
 
 .lint-common:
-  cache: {}
-  needs: []
+  extends: ".common"
   stage: "lint"
-  tags:
-    - "docker"
 
 ...

.gitlab/lint/lint-kyverno.yml

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
@@ -27,7 +27,7 @@ lint-kyverno:
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
     - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
-    - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required ${APP}"
+    - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required -s manifest -f opendesk.yaml --skip-tests true ${APP}"
     - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
     - "cd ${CI_PROJECT_DIR}/.kyverno"
     - "kyverno test ."

.kyverno/_apps.yaml

@@ -1,279 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-pod:
-  - resource: "mariadb"
-    kind: "StatefulSet"
-    app: "services"
-  - resource: "postgresql"
-    kind: "StatefulSet"
-    app: "services"
-  - resource: "clamav-simple"
-    kind: "StatefulSet"
-    app: "services"
-  - resource: "redis-master"
-    kind: "StatefulSet"
-    app: "services"
-  - resource: "ums-store-dav"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-ldap-server"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-ldap-notifier"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-portal-listener"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-selfservice-listener"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-provisioning-nats"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-guardian-management-api"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-guardian-management-ui"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-guardian-authorization-api"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-open-policy-agent"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "open-xchange-core-mw-default"
-    kind: "StatefulSet"
-    app: "open-xchange"
-  - resource: "jitsi-prosody"
-    kind: "StatefulSet"
-    app: "jitsi"
-  - resource: "opendesk-synapse"
-    kind: "StatefulSet"
-    app: "element"
-  - resource: "xwiki"
-    kind: "StatefulSet"
-    app: "xwiki"
-  - resource: "ox-connector"
-    kind: "StatefulSet"
-    app: "provisioning"
-  - resource: "minio"
-    kind: "Deployment"
-    app: "services"
-  - resource: "cryptpad"
-    kind: "Deployment"
-    app: "cryptpad"
-  - resource: "memcached"
-    kind: "Deployment"
-    app: "services"
-  - resource: "postfix"
-    kind: "Deployment"
-    app: "services"
-  - resource: "ums-keycloak"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-stack-gateway"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-udm-rest-api"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-portal-server"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-notifications-api"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-portal-frontend"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-umc-gateway"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-umc-server"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-provisioning-nats-box"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-keycloak-extensions-handler"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-keycloak-extensions-proxy"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "intercom-service"
-    kind: "Deployment"
-    app: "intercom-service"
-  - resource: "dovecot"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-documentconverter"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-guidedtours"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-imageconverter"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-gotenberg"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-ui-middleware"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-ui-middleware-updater"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-ui"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-user-guide"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-guard-ui"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-nextcloud-integration-ui"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-public-sector-ui"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "opendesk-nextcloud-apache2"
-    kind: "Deployment"
-    app: "nextcloud"
-  - resource: "opendesk-nextcloud-exporter"
-    kind: "Deployment"
-    app: "nextcloud"
-  - resource: "opendesk-nextcloud-php"
-    kind: "Deployment"
-    app: "nextcloud"
-  - resource: "collabora"
-    kind: "Deployment"
-    app: "collabora"
-  - resource: "jitsi-jibri"
-    kind: "Deployment"
-    app: "jitsi"
-  - resource: "jitsi-jicofo"
-    kind: "Deployment"
-    app: "jitsi"
-  - resource: "jitsi-jvb"
-    kind: "Deployment"
-    app: "jitsi"
-  - resource: "jitsi-web"
-    kind: "Deployment"
-    app: "jitsi"
-  - resource: "jitsi-opendesk-jitsi-keycloak-adapter"
-    kind: "Deployment"
-    app: "jitsi"
-  - resource: "opendesk-element"
-    kind: "Deployment"
-    app: "element"
-  - resource: "opendesk-well-known"
-    kind: "Deployment"
-    app: "element"
-  - resource: "opendesk-synapse-web"
-    kind: "Deployment"
-    app: "element"
-  - resource: "opendesk-matrix-user-verification-service"
-    kind: "Deployment"
-    app: "element"
-  - resource: "matrix-neoboard-widget"
-    kind: "Deployment"
-    app: "element"
-  - resource: "matrix-neochoice-widget"
-    kind: "Deployment"
-    app: "element"
-  - resource: "matrix-neodatefix-widget"
-    kind: "Deployment"
-    app: "element"
-  - resource: "matrix-neodatefix-bot"
-    kind: "Deployment"
-    app: "element"
-  - resource: "openproject-web"
-    kind: "Deployment"
-    app: "openproject"
-  - resource: "openproject-worker"
-    kind: "Deployment"
-    app: "openproject"
-  - resource: "mariadb-bootstrap"
-    kind: "Job"
-    app: "services"
-  - resource: "postgresql-bootstrap"
-    kind: "Job"
-    app: "services"
-  - resource: "minio-provisioning"
-    kind: "Job"
-    app: "services"
-  - resource: "ums-stack-data-ums-1"
-    kind: "Job"
-    app: "univention-management-stack"
-  - resource: "ums-stack-data-swp-1"
-    kind: "Job"
-    app: "univention-management-stack"
-  - resource: "ums-keycloak-bootstrap-bootstrap-1"
-    kind: "Job"
-    app: "univention-management-stack"
-  - resource: "opendesk-keycloak-bootstrap-bootstrap-1"
-    kind: "Job"
-    app: "univention-management-stack"
-  - resource: "opendesk-open-xchange-bootstrap"
-    kind: "Job"
-    app: "open-xchange"
-  - resource: "opendesk-nextcloud-management-1"
-    kind: "Job"
-    app: "nextcloud"
-  - resource: "jitsi-opendesk-jitsi"
-    kind: "Job"
-    app: "jitsi"
-  - resource: "opendesk-matrix-user-verification-service-bootstrap"
-    kind: "Job"
-    app: "element"
-  - resource: "matrix-neodatefix-bot-bootstrap"
-    kind: "Job"
-    app: "element"
-  - resource: "opendesk-openproject-bootstrap-bootstrap-1"
-    kind: "Job"
-    app: "openproject-bootstrap"
-#  # Has timestamp in resource name - not supported yet.
-#  - resource: "openproject-seeder-*"
-#    kind: "Job"
-#  - resource: "ums-store-dav-test-connection"
-#    kind: "Pod"
-#  - resource: "ums-udm-rest-api-test-connection"
-#    kind: "Pod"
-#  - resource: "ums-portal-server-test-connection"
-#    kind: "Pod"
-#  - resource: "ums-notifications-api-test-connection"
-#    kind: "Pod"
-#  - resource: "ums-portal-frontend-test-connection"
-#    kind: "Pod"
-#  - resource: "ums-provisioning-nats-test-request-reply"
-#    kind: "Pod"
-#  - resource: "ums-provisioning-provisioning-api-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-core-guidedtours-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-gotenberg-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-core-ui-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-core-user-guide-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-guard-ui-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-nextcloud-integration-ui-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-public-sector-ui-test-connection"
-#    kind: "Pod"
-#  - resource: "jitsi-prosody-test-connection"
-#    kind: "Pod"
-#  - resource: "jitsi-web-test-connection"
-#    kind: "Pod"
-#  - resource: "openproject-test-connection"
-#    kind: "Pod"
-...

.kyverno/policies/_policies.yaml

@@ -5,51 +5,164 @@ pod:
   - name: "require-tag-and-digest"
     rule: "require-tag-and-digest"
     type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "disallow-default-serviceaccount"
     rule: "require-sa"
     type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "require-imagepullsecrets"
     rule: "require-imagepullsecrets"
     type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "disallow-latest-tag"
     rule: "validate-image-tag"
     type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "require-imagepullpolicy-always"
     rule: "require-imagepullpolicy-always"
     type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "require-health-and-liveness-check"
     rule: "require-health-and-liveness-check"
     type: "required"
-    excludeKinds:
-      - "Job"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-storage"
+    rule: "require-storageclass-pvc"
+    type: "required"
+    kinds:
+      - "PersistentVolumeClaim"
+  - name: "require-storage"
+    rule: "require-storageclass-pod"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+  - name: "require-storage"
+    rule: "require-storage-size-pvc"
+    type: "required"
+    kinds:
+      - "PersistentVolumeClaim"
+  - name: "require-storage"
+    rule: "require-storage-size-pod"
+    type: "required"
+    kinds:
+      - "StatefulSet"
   - name: "require-requests-limits"
     rule: "validate-resources"
     type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "restrict-image-registries"
     rule: "validate-registries"
     type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-ro-rootfs"
     type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-no-privilege-escalation"
     type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-all-capabilities-dropped"
     type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-no-privileged"
     type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-run-as-user"
     type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-run-as-group"
     type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-seccomp-profile"
     type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-run-as-non-root"
     type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
 ...

.kyverno/policies/require-storage.yaml

@@ -0,0 +1,61 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-storage"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "StatefulSet"
+      name: "require-storageclass-pod"
+      validate:
+        message: "VolumeClaims inside pods need to have storageClass set when templated."
+        pattern:
+          spec:
+            (volumeClaimTemplates):
+              - spec:
+                  storageClassName: "kyverno-test"
+    - match:
+        resources:
+          kinds:
+            - "PersistentVolumeClaim"
+      name: "require-storageclass-pvc"
+      validate:
+        message: "Persistent Volume Claim need to have storageClassName set when templated."
+        pattern:
+          spec:
+            storageClassName: "kyverno-test"
+
+    - match:
+        resources:
+          kinds:
+            - "StatefulSet"
+      name: "require-storage-size-pod"
+      validate:
+        message: "VolumeClaims inside pods need to have storageClass set when templated."
+        pattern:
+          spec:
+            (volumeClaimTemplates):
+              - spec:
+                  resources:
+                    requests:
+                      storage: "42Gi"
+    - match:
+        resources:
+          kinds:
+            - "PersistentVolumeClaim"
+      name: "require-storage-size-pvc"
+      validate:
+        message: "Persistent Volume Claim need to have storageClassName set when templated."
+        pattern:
+          spec:
+            resources:
+              requests:
+                storage: "42Gi"
+  validationFailureAction: "audit"
+...

CHANGELOG.md

@@ -1,3 +1,40 @@
+## [0.5.77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.76...v0.5.77) (2024-02-16)
+
+
+### Bug Fixes
+
+* **ci:** Complete CI var usage for external registry ([3bcdcd0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3bcdcd06b7c4829686f11b8f065ec38829b5a5a6))
+* **ci:** Update openDesk CI Lint to v2.3.1 ([250ef2b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/250ef2bc3fe9047b49b236b606ec3e3fa28e13ce))
+* **collabora:** Add chart validation ([0159902](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/01599022f14d447dfdadf390ca9e8e29668dfb07))
+* **collabora:** Bump to 23.05.9.1.1 ([b525a81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b525a814fc25867c068579d5cbd8d1a993144519))
+* **cryptpad:** Update chart to v0.0.18 ([6f0b1f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6f0b1f37fc06c40bf537dbaed60f314341211e41))
+* **docs:** Add functional component table referencing the component versions to README.md ([bc7eeb8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc7eeb8c9d3dd19f625d6f7ba94b15eb4b782d20))
+* **docs:** Add generated security-context.md ([d9e07ff](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9e07ff7bd0e8be090f4fe2c370fa9978c22dfd5))
+* **element:** Change name of neodatefix bot job ([dd535da](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/dd535daac0bb0e602eefa45e8dc448fd07fbdd33))
+* **element:** Disable e2ee ([ba0824b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ba0824bac30ae1fc43458bdc8c09a143076e874c))
+* **helmfile:** Add additional provisioning components and configuration ([110ff56](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/110ff56f7487e7ac89b1b75c8c63d04e1c2a41c0))
+* **helmfile:** Add seLinuxOptions for all applications ([02d04fa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/02d04faa2a8d8a0b3bfc179cc8efb3fec086bc70))
+* **helmfile:** Annotations in image.yaml ([7ebbd03](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ebbd03bdcb11abf4e459035c459b74adf8cfcda))
+* **helmfile:** Bump Collabora Chart to 1.11.1 and Image to 23.05.8.4.1 ([d2b1f0b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d2b1f0b07b5ebe4b98b2dc29b916857e28ce5706))
+* **helmfile:** Fix annotations in images.yaml ([acaec3b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/acaec3b8ac6e0ecd58167fca874cd56caa15fa98))
+* **helmfile:** Fix umsPortalFrontend image annotation ([8f83261](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8f832619864504eaa04945a9a79d6790d2ab8a48))
+* **helmfile:** Improve debugging ([56f5e35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/56f5e35895c712440c1a7d249be672c86fc34eeb))
+* **nextcloud:** Bump openincryptpad to 0.3.3 and disable circles app ([f2b8acf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f2b8acfba85d384ed425779fa52133935e553e86))
+* **nextcloud:** Set backchannel logout url ([c0fc225](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c0fc225349794034feea1d0c05b29068b9a455af))
+* **nextcloud:** Update image, nextcloud apps and chart ([fd2a66f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fd2a66f8f2a987aa71872122267f29aee3d5f22a))
+* **nextcloud:** Update nextcloud image and chart to support upgrades ([5d95e7a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5d95e7ab2a71097d8c6231bff8c3a6aa3b6f163a))
+* **nextcloud:** Update to Nextcloud to v28 ([7c9f38f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7c9f38f06e1f0d000992ecdfd77921d6fc28015c))
+* **open-xchange:** Bump Gotenberg image ([49f126d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/49f126d169759b3e9dd130101e64892822750d7b))
+* **open-xchange:** Dovecot image on OpenCoDE without mirror ([1396071](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/139607186549f7a9a129023f1f72aff82cf36460))
+* **openproject:** Bump version to 13.3.0 ([c2087ef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c2087efcf95bf2eef19556ba1a1d26b7807021c4))
+* **univention-management-stack:** New device login notifications on first login with 2FA ([ee1a337](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ee1a337ab5dea7001045860eb6a5bee1dfc84219))
+* **univention-management-stack:** Patches not applied to uldap ([2909e1d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2909e1d821397797244d7c11c0935a3bbc902bb1))
+* **univention-management-stack:** Support for object-storage icons and portal files ([83ac645](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/83ac645faec748e773dd7940ca0ca1102bd6dff3))
+* **univention-management-stack:** Update NGINX Helm chart to 15.9.3 ([c16c0ac](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c16c0ac7955e64254214d7129ae70d5dd8808743))
+* **univention-management-stack:** Update otterize to allow umc-server communication with memcached ([6c15dc1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6c15dc1d668623ddd95090e321d1bb268e681db5))
+* **xwiki:** Add bottom border to top nav bar to be aligned with the other components ([affa92c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/affa92cde2caa175707f8ae0e8d4adedbdceb608))
+* **xwiki:** Bump XWiki chart to 1.3.0 ([cabee0c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cabee0c9da3a32e180931b3bd490ba8f83aadb79))
+
 ## [0.5.76](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.75...v0.5.76) (2024-01-24)
 
 

README.md

@@ -5,65 +5,59 @@ SPDX-License-Identifier: Apache-2.0
 
 <h1>openDesk Deployment Automation</h1>
 
-openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
-Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
-
-It features:
-- Fully integrated Identity Management (Univention)
-- File storage (Nextcloud)
-- Weboffice (Collabora)
-- Videoconference (Nordeck w/ Jitsi)
-- Chat and Collaboration (Element w/ Nordeck)
-- Groupware (OX Appsuite)
-- Wiki (XWiki)
-- Project Management (OpenProject)
-- Notes and Diagrams (Cryptpad)
-
-openDesk integrates these components and is working towards a seamless user experience.
-
-While not all components are perfectly shaped for the execution inside containers, one of the project objectives is to
-align the applications with the best practises regarding container design and operations.
-
-This documentation aims to give you all that is needed to set up your own instance of the openDesk.
-Basic knowledge of Kubernetes and Devops is required though.
-
 <!-- TOC -->
-* [Active development notice](#active-development-notice)
-* [Feedback](#feedback)
+* [Overview](#overview)
+* [Disclaimer](#disclaimer)
 * [Requirements](#requirements)
 * [Getting started](#getting-started)
 * [Advanced customization](#advanced-customization)
 * [Releases](#releases)
 * [Components](#components)
+* [Feedback](#feedback)
 * [License](#license)
 * [Copyright](#copyright)
 <!-- TOC -->
 
-# Active development notice
+# Overview
+
+openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
+Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
+
+openDesk currently features the following functional main components:
+
+| Function             | Functional Component        | Component<br/>Version | Upstream Documentation |
+| -------------------- | --------------------------- | --------------------- | ----------------- |
+| Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide) |
+| Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
+| File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
+| Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
+| Knowledge management | XWiki                       | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) |
+| Portal & IAM         | Nubus                       | Product Preview[^1]   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
+| Project management   | OpenProject                 | [13.3.0](https://www.openproject.org/docs/release-notes/13-3-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
+| Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
+| Weboffice            | Collabora                   | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
+
+While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
+align the applications with best practises regarding container design and operations.
+
+This documentation aims to give you all that is needed to set up your own instance of the openDesk.
+
+Basic knowledge of Kubernetes and DevOps processes is required though.
+
+# Disclaimer
+
 openDesk will face breaking changes in the near future without upgrade paths before
 [technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 v1.0.0 is reached.
 
 While most components support upgrades, major configuration or component changes may occur, therefore we recommend
-at the moment always installing from scratch.
+from scratch installations for now.
 
-Components that are going to be replaced soon are:
-- the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
-- Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.
+In the next months, we not only expect to integrate upstream updates of the functional components to include their
+most recent feature and security sets, but also to address operational topics like scalability for the openDesk
+platform.
 
-In the next months, we not only expect upstream updates of the functional components within their feature scope, but we
-are also going to address operational issues like monitoring and network policies.
-
-Of course, further development also includes enhancing the documentation.
-
-# Feedback
-
-We love to get feedback from you!
-Related to the deployment / contents of this repository,
-please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
-
-If you want to address other topics, please check the section
-["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
+Of course, further development also includes enhancing the documentation itself.
 
 # Requirements
 
@@ -93,16 +87,26 @@ The following release artefacts are provided beside the default source code asse
 - `chart-index.json`: An overview of all Helm charts used by the release.
 - `image-index.json`: An overview of all container images used by the release.
 
-⟶ Visit out detailed [Workflow](./docs/workflow.md) docs.
+⟶ Visit our detailed [Workflow](./docs/workflow.md) docs.
 
 # Components
 
 ⟶ Visit our detailed [Component](./docs/components.md) docs.
 
+# Feedback
+
+We love to get feedback from you!
+
+Related to the deployment / contents of this repository,
+please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
+
+If you want to address other topics, please check the section
+["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
 
 # License
 
 This project uses the following license: Apache-2.0
 
 # Copyright
-Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+
+Copyright (C) 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"

docs/components.md

@@ -58,12 +58,14 @@ Some use cases require inter component integration.
 ```mermaid
 flowchart TD
   OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
+  Element-->|CentralNavigation|IntercomService
   IntercomService-->|SilentLogin, TokenExchange|IdP
   IntercomService-->|Filepicker|Nextcloud
   IntercomService-->|CentralNavigation|Portal
   OXAppSuiteBackend-->|Filepicker|Nextcloud
   Nextcloud-->|CentralNavigation|Portal
   OpenProject-->|CentralNavigation|Portal
+  OpenProject-->|Filestore|Nextcloud
   XWiki-->|CentralNavigation|Portal
   Nextcloud-->|CentralContacts|OXAppSuiteBackend
   OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
@@ -124,7 +126,7 @@ flowchart TD
     A[OX AppSuite]-->L
     D[OX Dovecot]-->L
     P[Portal/Admin]-->L
-    X[XWiki]-->|in 2023|L
+    X[XWiki]-->L
     A-->K
     N-->K
     D-->K

docs/debugging.md

@@ -0,0 +1,83 @@
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+<h1>Debugging</h1>
+
+* [Disclaimer](#disclaimer)
+* [Enable debugging](#enable-debugging)
+* [Components](#components)
+  * [MariaDB](#mariadb)
+  * [Nextcloud](#nextcloud)
+  * [OpenProject](#openproject)
+  * [PostgreSQL](#postgresql)
+
+# Disclaimer
+
+This document collects information how to deal with debugging an openDesk deployment.
+
+It will be extended over time as we have to deal with debugging cases.
+
+We for sure do not want to reinvent the wheel, so we might link to external sources that contain helpful
+information where available.
+
+**Note:** You should never enable debug in production environments! By looking up `debug.enable` in the deployment you
+will find the various places changes are applied when enabling debugging. So outside of development and test
+environments you may want to make use of them in a very thoughtful and selective manner if needed.
+
+# Enable debugging
+
+Set `debug.enable` to `true` in [`debug.yaml`](../helmfile/environments/default/debug.yaml) to set the
+component's loglevel to debug and it get some features like:
+- The `/admin` console is routed for Keycloak.
+- An ingress for `http://minio-console.<your_domain>` is configured.
+and set the loglevel for components to "Debug".
+
+**Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
+
+# Components
+
+## MariaDB
+
+When using the openDesk bundled MariaDB you can explore database(s) using the MariaDB interactive terminal from the pod's command line: `mariadb -u root -p`. As password provide the value for `MARIADB_ROOT_PASSWORD` set in the pod's environment.
+
+While you will find all details for the CLI tool in [the online documentation](https://mariadb.com/kb/en/mariadb-command-line-client/), some quick commands are:
+
+- `help`: Get help on the psql command set
+- `show databases`: Lists all databases
+- `use <databasename>`: Connect to `<databasename>`
+- `show tables`: Lists tables within the currently connected database
+- `quit`: Quit the client
+
+## Nextcloud
+
+`occ` is the CLI for Nextcloud, all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
+
+You can run occ commands in the `opendesk-nextcloud-php` pod like this: `php /var/www/html/occ config:list`
+
+## OpenProject
+
+OpenProject is a Ruby on Rails application. Therefore you can make use of the Rails console from the pod's command line `bundle exec rails console`
+
+and run debug code like this:
+
+```
+uri = URI('https://nextcloud.url/index.php/apps/integration_openproject/check-config')
+Net::HTTP.start(uri.host, uri.port,
+  :use_ssl => uri.scheme == 'https') do |http|
+  request = Net::HTTP::Get.new uri
+  response = http.request request # Net::HTTPResponse object
+end
+```
+
+## PostgreSQL
+
+When using the openDesk bundled PostgreSQL you can explore database(s) using the PostgreSQL interactive terminal from the pod's command line: `psql -U postgres`.
+
+While you will find all details in the [psql subsection](https://www.postgresql.org/docs/current/app-psql.html)) of the PostgreSQL documentation, some quick commands are:
+
+- `\?`: Get help on the psql command set
+- `\l`: Lists all databases
+- `\c <databasename>`: Connect to `<databasename>`
+- `\dt`: List (describe) tables within the currently connected database
+- `\q`: Quit the client

docs/getting-started.md

@@ -356,17 +356,12 @@ by your specified subdomain.
 # Replace with your namespace
 NAMESPACE=your-namespace
 
-# Get credentials from ConfigMap
-kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
-  | yq '.properties.username,.properties.password'
-# default.user
-# 40615..............................e9e2f
-# ---
-# default.admin
-# bdbbb..............................04db6
+# Get ConfigMap with credentials
+kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}'
 ```
 
-Now you can log in with obtained credentials:
+Renders you a two part ConfigMap where the `username` and `password` attributes in the `properties`
+section provide you with the desired information to login with the two default user roles:
 
 | Username        | Password                                   | Description      |
 |-----------------|--------------------------------------------|------------------|

docs/monitoring.md

@@ -66,7 +66,8 @@ grafana:
 
 # Components
 
-| Component | Metrics (pod- or serviceMonitor)  | Alerts (prometheusRule) | Dashboard (Grafana) |
-|:----------|-----------------------------------|-------------------------|---------------------|
-| Collabora | :white_check_mark:                | :white_check_mark:      | :white_check_mark:  |
-| Nextcloud | :white_check_mark:                | :x:                     | :x:                 |
+| Component    | Metrics (pod- or serviceMonitor)  | Alerts (prometheusRule) | Dashboard (Grafana) |
+|:-------------|-----------------------------------|-------------------------|---------------------|
+| Collabora    | :white_check_mark:                | :white_check_mark:      | :white_check_mark:  |
+| Nextcloud    | :white_check_mark:                | :x:                     | :x:                 |
+| Open-Xchange | :white_check_mark:                | :x:                     | :x:                 |

docs/security-context.md

@@ -0,0 +1,227 @@
+<!--
+SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+<h1>Kubernetes Security Context</h1>
+
+* [Container Security Context](#container-security-context)
+  * [allowPrivilegeEscalation](#allowprivilegeescalation)
+  * [capabilities](#capabilities)
+  * [privileged](#privileged)
+  * [runAsUser](#runasuser)
+  * [runAsGroup](#runasgroup)
+  * [seccompProfile](#seccompprofile)
+  * [readOnlyRootFilesystem](#readonlyrootfilesystem)
+  * [runAsNonRoot](#runasnonroot)
+* [Status quo](#status-quo)
+
+# Container Security Context
+
+
+The containerSecurityContext is the most important security-related section because it has the highest precedence and restricts the container to its minimal privileges.
+
+## allowPrivilegeEscalation
+
+
+Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed (Linux only) at any time.
+
+```yaml
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+```
+
+## capabilities
+
+
+Containers must drop ALL capabilities, and are only permitted to add back the `NET_BIND_SERVICE` capability (Linux only).
+
+
+**Optimal:**
+
+```yaml
+containerSecurityContext:
+  capabilities:
+    drop:
+      - "ALL"
+```
+
+
+**Allowed:**
+
+```yaml
+containerSecurityContext:
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "NET_BIND_SERVICE"
+```
+
+## privileged
+
+
+Privileged Pods disable most security mechanisms and must be disallowed.
+
+```yaml
+containerSecurityContext:
+  privileged: false
+```
+
+## runAsUser
+
+
+Containers should set a user id >= 1000 and never use 0 (root) as user.
+
+```yaml
+containerSecurityContext:
+  runAsUser: 1000
+```
+
+## runAsGroup
+
+
+Containers should set a group id >= 1000 and never use 0 (root) as user.
+
+```yaml
+containerSecurityContext:
+  runAsGroup: 1000
+```
+
+## seccompProfile
+
+
+Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
+
+```yaml
+containerSecurityContext:
+  seccompProfile:
+    type: "RuntimeDefault"
+```
+
+
+or
+
+```yaml
+containerSecurityContext:
+  seccompProfile:
+    type: "Localhost"
+```
+
+## readOnlyRootFilesystem
+
+
+Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
+
+```yaml
+containerSecurityContext:
+  readOnlyRootFilesystem: true
+```
+
+## runAsNonRoot
+
+
+Containers must be required to run as non-root users.
+
+```yaml
+containerSecurityContext:
+  runAsNonRoot: true
+```
+
+# Status quo
+
+
+openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
+
+
+The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
+
+
+This list gives you an overview of templated security settings and if they comply with security standards:
+
+
+ - **yes**: Value is set to `true`
+ - **no**: Value is set to `false`
+ - **n/a**: No explicitly templated in openDesk and default is used.
+
+| process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
+| ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
+| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
+| **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
+| **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/matrix-neodatefix-bot | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/matrix-neodatefix-bot-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/matrix-neodatefix-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/opendesk-element | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/opendesk-matrix-user-verification-service | :x: | no | no | no | no | 0 | 0 | yes | yes |
+| **element**/opendesk-matrix-user-verification-service-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/opendesk-synapse | :white_check_mark: | no | no | yes | yes | 10991 | 10991 | yes | yes |
+| **element**/opendesk-synapse-web | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/opendesk-well-known | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **intercom-service**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
+| **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
+| **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
+| **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
+| **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
+| **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
+| **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-imageconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-mw/gotenberg | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-ui-middleware | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-user-guide | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **provisioning**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
+| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
+| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
+| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-guardian-authorization-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-guardian-management-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-guardian-management-ui | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-ldap-notifier | :x: | no | no | no | no | 0 | 0 | yes | yes |
+| **univention-management-stack**/ums-ldap-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-notifications-api | :x: | no | no | no | no | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-open-policy-agent | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-portal-frontend | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-portal-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-provisioning/dispatcher | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-provisioning/events-and-consumer-api | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-provisioning/udm-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
+| **univention-management-stack**/ums-stack-data-ums | :x: | no | no | no | no | 0 | 0 | yes | yes |
+| **univention-management-stack**/ums-stack-gateway | :x: | no | no | no | yes | 1001 | 1001 | yes | yes |
+| **univention-management-stack**/ums-store-dav | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-udm-rest-api | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
+
+
+This file is auto-generated by [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli)

docs/security.md

@@ -15,89 +15,21 @@ This document should cover the current status of security measurements.
 
 # Helm Chart Trust Chain
 
-Helm charts are signed and validated against GPG keys which could be found in `helmfile/files/gpg-pubkeys`.
+Helm charts are signed and validated against GPG keys which can be found in `helmfile/files/gpg-pubkeys`.
 
-All charts except these are verifiable:
+For more details on Chart validation please visit: https://helm.sh/docs/topics/provenance/
+
+All charts except the ones mentioned below are verifiable:
 
 | Repository        | Verifiable |
 |-------------------|:----------:|
-| collabora-repo    |     no     |
 | open-xchange-repo |     no     |
 
 # Kubernetes Security Enforcements
 
 This list gives you an overview of default security settings and if they comply with security standards:
 
-
-| Component                   | Process                       |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
-|-----------------------------|-------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
-| ClamAV                      | clamd                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|                             | freshclam                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|                             | icap                          | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|                             | milter                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-| Collabora                   | collabora                     |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
-| CryptPad                    | cryptpad                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   4001    |    4001    |  4001   |
-| Dovecot                     | dovecot                       |        :x:         |         :white_check_mark:         |                          :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`)                           |        :white_check_mark:         |       :white_check_mark:        |          :x:          |     -     |     -      |  1000   |
-| Element                     | element                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-|                             | synapse                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
-|                             | synapseWeb                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-|                             | wellKnown                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-| IntercomService             | intercom-service              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-| Jitsi                       | jibri                         |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | jicofo                        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | jitsiKeycloakAdapter          | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
-|                             | jvb                           |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | prosody                       |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | web                           |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-| MariaDB                     | mariadb                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-| Memcached                   | memcached                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     -      |  1001   |
-| Minio                       | minio                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-| Nextcloud                   | opendesk-nextcloud-apache2    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
-|                             | opendesk-nextcloud-cron       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
-|                             | opendesk-nextcloud-exporter   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
-|                             | opendesk-nextcloud-management |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   65532   |   65532    |  65532  |
-|                             | opendesk-nextcloud-php        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
-| Open-Xchange                | core-documentconverter        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
-|                             | core-guidedtours              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | core-imageconverter           |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
-|                             | core-mw-default               |        :x:         |                :x:                 |                                                                      :x:                                                                       |                :x:                |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | core-ui                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | core-ui-middleware            | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | core-ui-middleware-updater    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | core-user-guide               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | gotenberg                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | guard-ui                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | nextlcoud-integration-ui      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | public-sector-ui              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-| OpenProject                 | openproject                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-|                             | opendeskOpenprojectBootstrap  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-| Postfix                     | postfix                       |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
-| PostgreSQL                  | postgresql                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-| Redis                       | redis                         |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     0      |  1001   |
-| Univention Management Stack | guardian-authorization-api    |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | guardian-management-api       |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | guardian-management-ui        |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | keycloak                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
-|                             | keycloak-bootstrap            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
-|                             | keycloak-extension-handler    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | keycloak-extension-proxy      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | ldap-notifier                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | ldap-server                   |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | notifications-api             |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | opendesk-keycloak-bootstrap   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-|                             | open-policy-agent             |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | portal-frontend               |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | portal-listener               |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | portal-server                 |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | provisioning-api              |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | selfservice-listener          |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | stack-gateway                 | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-|                             | store-dav                     |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | udm-rest-api                  |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | umc-gateway                   |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | umc-server                    |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-| XWiki                       | xwiki                         |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   101   |
-|                             | xwiki initContainers          |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+⟶ Visit our generated detailed [Security Context](./security-context.md) overview.
 
 # NetworkPolicies
 

helmfile/apps/collabora/helmfile.yaml

@@ -8,6 +8,8 @@ repositories:
   # Collabora Online
   # Source: https://github.com/CollaboraOnline/online
   - name: "collabora-online-repo"
+    keyring: "../../files/gpg-pubkeys/collaboraoffice-com.gpg"
+    verify: {{ .Values.charts.collabora.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true

helmfile/apps/collabora/values.yaml.gotmpl

@@ -126,7 +126,7 @@ securityContext:
       - "NET_RAW"
       - "SYS_CHROOT"
       - "MKNOD"
-
+  seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}
 serviceAccount:
   create: true
 ...

helmfile/apps/cryptpad/values.yaml.gotmpl

@@ -63,12 +63,14 @@ securityContext:
   capabilities:
     drop:
       - "ALL"
+  privileged: false
   seccompProfile:
     type: "RuntimeDefault"
-  # readOnlyRootFilesystem: true
+  readOnlyRootFilesystem: false
   runAsNonRoot: true
   runAsUser: 4001
   runAsGroup: 4001
+  seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }}
 
 serviceAccount:
   create: true

helmfile/apps/element/values-element.yaml.gotmpl

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
+  endToEndEncryption: false
   additionalConfiguration:
     logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
 
@@ -109,6 +110,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.element }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl

@@ -14,6 +14,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl

@@ -14,6 +14,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl

@@ -21,4 +21,20 @@ image:
   tag: {{ .Values.images.synapseCreateUser.tag | quote }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
+fullnameOverride: "matrix-neodatefix-bot-bootstrap"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
+
 ...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -35,6 +35,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }}
 
 extraEnvVars:
   - name: "ACCESS_TOKEN"
@@ -42,6 +43,8 @@ extraEnvVars:
       secretKeyRef:
         name: "matrix-neodatefix-bot-account"
         key: "access_token"
+  - name: "ENABLE_CRYPTO"
+    value: "false"
 
 image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -18,6 +18,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl

@@ -35,4 +35,5 @@ securityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
 ...

helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl

@@ -8,13 +8,13 @@ containerSecurityContext:
       - "ALL"
   enabled: true
   privileged: false
-  # TODO: the service can't run with read only filesystem or as non-root
-  # readOnlyRootFilesystem: true
-  # runAsGroup: 101
-  # runAsNonRoot: true
-  # runAsUser: 101
+  readOnlyRootFilesystem: false
+  runAsGroup: 0
+  runAsNonRoot: false
+  runAsUser: 0
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }}
 
 extraEnvVars:
   - name: "UVS_ACCESS_TOKEN"

helmfile/apps/element/values-synapse-web.yaml.gotmpl

@@ -14,6 +14,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -76,8 +76,10 @@ containerSecurityContext:
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 10991
+  runAsGroup: 10991
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapse }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-well-known.yaml.gotmpl

@@ -18,6 +18,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/intercom-service/values.yaml.gotmpl

@@ -7,12 +7,14 @@ containerSecurityContext:
     drop:
       - "ALL"
   enabled: true
+  privileged: false
   runAsUser: 1000
   runAsGroup: 1000
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.intercom }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -14,6 +14,7 @@ containerSecurityContext:
   allowPrivilegeEscalation: false
   enabled: true
   readOnlyRootFilesystem: true
+  privileged: false
   capabilities:
     drop:
       - "ALL"
@@ -22,6 +23,7 @@ containerSecurityContext:
   runAsUser: 1993
   runAsGroup: 1993
   runAsNonRoot: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }}
 
 cleanup:
   deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -63,8 +65,17 @@ jitsi:
     resources:
       {{ .Values.resources.jitsi | toYaml | nindent 6 }}
     securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+      enabled: true
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }}
   prosody:
     image:
       repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -102,8 +113,17 @@ jitsi:
       size: {{ .Values.persistence.size.prosody | quote }}
       storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
     securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+      enabled: true
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions: {{ .Values.seLinuxOptions.prosody }}
   jicofo:
     replicaCount: {{ .Values.replicas.jicofo }}
     image:
@@ -115,8 +135,17 @@ jitsi:
     resources:
       {{ .Values.resources.jicofo | toYaml | nindent 6 }}
     securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+      enabled: true
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     image:
@@ -129,8 +158,17 @@ jitsi:
     service:
       type: {{ .Values.cluster.service.type | quote }}
     securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+      enabled: true
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions: {{ .Values.seLinuxOptions.jvb }}
   jibri:
     replicaCount: {{ .Values.replicas.jibri }}
     image:
@@ -143,8 +181,9 @@ jitsi:
     resources:
       {{ .Values.resources.jibri | toYaml | nindent 6 }}
     securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
+      # Chart does not allow to template more
+      capabilities:
+        add: ["SYS_ADMIN"]
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . | quote }}
@@ -156,10 +195,18 @@ patchJVB:
     loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
   containerSecurityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
     enabled: true
+    privileged: false
     readOnlyRootFilesystem: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
     seccompProfile:
       type: "RuntimeDefault"
+    seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }}
   image:
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -14,6 +14,9 @@ global:
 additionalAnnotations:
   intents.otterize.com/service-name: "opendesk-nextcloud-php"
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+
 configuration:
   administrator:
     username: "nextcloud"
@@ -77,12 +80,17 @@ containerSecurityContext:
     drop:
       - "ALL"
   enabled: true
+  privileged: false
   runAsUser: 65532
   runAsGroup: 65532
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: false
   runAsNonRoot: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }}
+
+debug:
+  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
@@ -95,4 +103,5 @@ theme:
 
 resources:
   {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
+
 ...

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -18,12 +18,14 @@ exporter:
       drop:
         - "ALL"
     enabled: true
+    privileged: false
     runAsUser: 65532
     runAsGroup: 65532
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
     repository: "{{ .Values.images.nextcloudExporter.repository }}"
@@ -69,12 +71,18 @@ php:
       drop:
         - "ALL"
     enabled: true
+    privileged: false
     runAsUser: 65532
     runAsGroup: 65532
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }}
+  cron:
+    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
+  debug:
+    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
     repository: "{{ .Values.images.nextcloudPHP.repository }}"
@@ -103,12 +111,14 @@ apache2:
       drop:
         - "ALL"
     enabled: true
+    privileged: false
     runAsUser: 65532
     runAsGroup: 65532
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }}
   ingress:
     enabled: {{ .Values.ingress.enabled }}
     ingressClassName: {{ .Values.ingress.ingressClassName | quote }}

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -66,6 +66,7 @@ containerSecurityContext:
   readOnlyRootFilesystem: true
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }}
 
 podSecurityContext:
   enabled: true

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -32,12 +32,15 @@ nextcloud-integration-ui:
     capabilities:
       drop:
         - "ALL"
-    readOnlyRootFilesystem: true
+    privileged: false
+    readOnlyRootFilesystem: false
     runAsGroup: 1000
     runAsNonRoot: true
     runAsUser: 1000
+    privileged: false
     seccompProfile:
       type: "RuntimeDefault"
+    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }}
 
 public-sector-ui:
   image:
@@ -56,12 +59,15 @@ public-sector-ui:
     capabilities:
       drop:
         - "ALL"
+    privileged: false
     readOnlyRootFilesystem: true
     runAsGroup: 1000
     runAsNonRoot: true
     runAsUser: 1000
+    privileged: false
     seccompProfile:
       type: "RuntimeDefault"
+    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }}
 
 appsuite:
   appsuite-toolkit:
@@ -81,6 +87,13 @@ appsuite:
       dav:
         hosts:
           - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+  extras:
+    monitoring:
+      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+      serviceMonitor:
+        additionalLabels:
+          {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 10 }}
+
   core-mw:
     enabled: true
     asConfig:
@@ -121,8 +134,11 @@ appsuite:
         readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 1001
+        runAsGroup: 1001
+        privileged: false
         seccompProfile:
           type: "RuntimeDefault"
+        seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }}
     hooks:
       beforeAppsuiteStart:
         create-guard-dir.sh: |
@@ -344,8 +360,10 @@ appsuite:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 1000
+      privileged: false
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }}
 
   core-ui-middleware:
     enabled: true
@@ -384,9 +402,10 @@ appsuite:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 1000
+      privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }}
   core-cacheservice:
     enabled: false
 
@@ -400,23 +419,23 @@ appsuite:
       registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
       repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
-    podSecurityContext:
+    resources:
+      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
+    securityContext:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 987
       seccompProfile:
         type: "RuntimeDefault"
-    resources:
-      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
-    securityContext:
-      # missing:
-      # readOnlyRootFilesystem: true
+      readOnlyRootFilesystem: false
       allowPrivilegeEscalation: false
+      privileged: false
       capabilities:
         drop:
           - "ALL"
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }}
 
   core-documents-collaboration:
     enabled: false
@@ -455,8 +474,10 @@ appsuite:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 1000
+      privileged: false
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }}
 
   core-imageconverter:
     enabled: true
@@ -470,23 +491,23 @@ appsuite:
           endpoint: "."
           accessKey: "."
           secretKey: "."
-    podSecurityContext:
+    resources:
+      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
+    securityContext:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 987
       seccompProfile:
         type: "RuntimeDefault"
-    resources:
-      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
-    securityContext:
-      # missing:
-      # readOnlyRootFilesystem: true
+      readOnlyRootFilesystem: false
       allowPrivilegeEscalation: false
+      privileged: false
       capabilities:
         drop:
           - "ALL"
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }}
 
   guard-ui:
     enabled: true
@@ -509,9 +530,10 @@ appsuite:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 1000
+      privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }}
   core-spellcheck:
     enabled: false
 
@@ -537,6 +559,8 @@ appsuite:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 1000
+      privileged: false
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }}
 ...

helmfile/apps/openproject-bootstrap/values.yaml.gotmpl

@@ -38,6 +38,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}

helmfile/apps/openproject/values.yaml.gotmpl

@@ -9,6 +9,7 @@ global:
 
 containerSecurityContext:
   enabled: true
+  privileged: false
   runAsUser: 1000
   runAsGroup: 1000
   allowPrivilegeEscalation: false
@@ -19,11 +20,12 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.openproject }}
 
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_LOG__LEVEL: {{ .Values.debug.logLevel | lower | quote }}
+  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
   OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -17,10 +17,10 @@ ingress:
 
 oxConnector:
   caCert: "ucctempldapstring"
-  debugLevel: "5"
+  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   domainName: {{ .Values.global.domain | quote }}
   ldapHost: {{ .Values.ldap.host | quote }}
-  logLevel: {{ .Values.debug.logLevel | quote }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   ldapBaseDn: "dc=swp-ldap,dc=internal"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
@@ -79,6 +79,11 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  readOnlyRootFilesystem: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }}
 
 serviceAccount:
   create: true

helmfile/apps/services/values-clamav-distributed.yaml.gotmpl

@@ -8,12 +8,14 @@ clamd:
       drop:
         - "ALL"
     enabled: true
+    privileged: false
     runAsUser: 100
     runAsGroup: 101
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    seLinuxOptions: {{ .Values.seLinuxOptions.clamd }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
     repository: {{ .Values.images.clamd.repository | quote }}
@@ -31,6 +33,15 @@ containerSecurityContext:
   allowPrivilegeEscalation: false
   enabled: true
   readOnlyRootFilesystem: true
+  runAsUser: 0
+  runAsGroup: 0
+  seccompProfile:
+    type: "RuntimeDefault"
+  runAsNonRoot: false
+  capabilities:
+    drop: []
+  privileged: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.clamav }}
 
 freshclam:
   containerSecurityContext:
@@ -39,12 +50,14 @@ freshclam:
       drop:
         - "ALL"
     enabled: true
+    privileged: false
     runAsUser: 100
     runAsGroup: 101
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    seLinuxOptions: {{ .Values.seLinuxOptions.freshclam }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
     repository: {{ .Values.images.freshclam.repository | quote }}
@@ -71,10 +84,12 @@ icap:
     enabled: true
     runAsUser: 100
     runAsGroup: 101
+    privileged: false
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    seLinuxOptions: {{ .Values.seLinuxOptions.icap }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
     repository: {{ .Values.images.icap.repository | quote }}
@@ -97,10 +112,12 @@ milter:
     enabled: true
     runAsUser: 100
     runAsGroup: 101
+    privileged: false
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    seLinuxOptions: {{ .Values.seLinuxOptions.milter }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
     repository: {{ .Values.images.milter.repository | quote }}

helmfile/apps/services/values-clamav-simple.yaml.gotmpl

@@ -7,10 +7,14 @@ containerSecurityContext:
     drop:
       - "ALL"
   enabled: true
+  privileged: false
   runAsUser: 100
   runAsGroup: 101
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple }}
 
 global:
   imagePullSecrets:

helmfile/apps/services/values-mariadb.yaml.gotmpl

@@ -17,6 +17,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.mariadb }}
 
 global:
   imagePullSecrets:

helmfile/apps/services/values-memcached.yaml.gotmpl

@@ -7,11 +7,14 @@ containerSecurityContext:
     drop:
       - "ALL"
   enabled: true
+  privileged: false
   runAsUser: 1001
+  runAsGroup: 1001
   runAsNonRoot: true
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.memcached }}
 
 global:
   imagePullSecrets:

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -24,9 +24,12 @@ containerSecurityContext:
       - "ALL"
   privileged: false
   runAsUser: 1000
+  runAsGroup: 0
   runAsNonRoot: true
+  readOnlyRootFilesystem: false
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.minio }}
 
 defaultBuckets: "openproject,openxchange,ums,nextcloud"
 
@@ -40,6 +43,7 @@ image:
   tag: "{{ .Values.images.minio.tag }}"
   pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
+{{- if .Values.debug.enabled }}
 ingress:
   enabled: {{ .Values.ingress.enabled }}
   ingressClassName: {{ .Values.ingress.ingressClassName }}
@@ -50,6 +54,7 @@ ingress:
       secretName: "{{ .Values.ingress.tls.secretName }}"
   annotations:
     nginx.org/websocket-services: "minio"
+{{- end }}
 
 livenessProbe:
   enabled: true
@@ -80,6 +85,8 @@ provisioning:
   enabled: true
   cleanupAfterFinished:
     enabled: true
+  extraCommands:
+    - "mc anonymous set download provisioning/ums/portal-assets"
   buckets:
     - name: "openproject"
       versioning: true
@@ -87,8 +94,8 @@ provisioning:
     - name: "openxchange"
       versioning: true
       withLock: false
-    - name: "ums"
-      versioning: true
+    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} 
+      versioning: false
       withLock: false
     - name: "nextcloud"
       versioning: true
@@ -155,7 +162,7 @@ provisioning:
       policies:
         - "openxchange-bucket-policy"
       setPolicies: true
-    - username: "ums_user"
+    - username: {{ .Values.objectstores.univentionManagementStack.username | quote }}
       password: {{ .Values.secrets.minio.umsUser | quote }}
       disabled: false
       policies:

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -14,6 +14,10 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: false
   runAsNonRoot: false
+  runAsUser: 0
+  runAsGroup: 0
+  privileged: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.postfix }}
 
 global:
   imagePullSecrets:
@@ -27,7 +31,7 @@ image:
 
 persistence:
   size: {{ .Values.persistence.size.postfix | quote }}
-  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 podSecurityContext:
   enabled: true

helmfile/apps/services/values-postgresql.yaml.gotmpl

@@ -14,6 +14,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.postgresql }}
 
 job:
 

helmfile/apps/services/values-redis.yaml.gotmpl

@@ -19,6 +19,7 @@ image:
 
 master:
   containerSecurityContext:
+    privileged: false
     readOnlyRootFilesystem: true
     runAsUser: 1001
     runAsGroup: 1001
@@ -29,6 +30,7 @@ master:
     capabilities:
       drop:
         - "ALL"
+    seLinuxOptions: {{ .Values.seLinuxOptions.redis }}
   count: {{ .Values.replicas.redis }}
   persistence:
     size: {{ .Values.persistence.size.redis | quote }}

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -34,13 +34,6 @@ repositories:
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
     url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
-  - name: "ums-store-dav-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsStoreDav.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
   - name: "ums-ldap-server-repo"
     keyring: "../../files/gpg-pubkeys/univention-de.gpg"
     verify: {{ .Values.charts.umsLdapServer.verify }}
@@ -219,15 +212,6 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
-  - name: "ums-store-dav"
-    chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
-    version: "{{ .Values.charts.umsStoreDav.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-store-dav.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
   - name: "ums-ldap-server"
     chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
     version: "{{ .Values.charts.umsLdapServer.version }}"

helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl

@@ -7,7 +7,7 @@ guardianAuthorizationApi:
   guardianAuthzAdapterAppPersistencePort: "udm_data"
   guardianAuthzAdapterPolicyPort: "opa"
   guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
-  guardianAuthzLoggingLevel: {{ .Values.debug.logLevel | quote }}
+  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   guardianAuthzLoggingStructured: false
   guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
   home: "/guardian_service_dir"
@@ -51,5 +51,10 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true
+  readOnlyRootFilesystem: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi }}
 
 ...

helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl

@@ -16,7 +16,7 @@ guardianManagementApi:
   guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
   guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
   guardianManagementAdapterResourceAuthorizationPort: "always"
-  guardianManagementLoggingLevel: "DEBUG"
+  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   guardianManagementLoggingStructured: false
   guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
   guardianManagementBaseUrl: "http://0.0.0.0:8000"
@@ -69,5 +69,10 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true
+  readOnlyRootFilesystem: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi }}
 
 ...

helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl

@@ -42,5 +42,10 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  readOnlyRootFilesystem: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi }}
 
 ...

helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl

@@ -22,6 +22,12 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier }}
 
 volumes:
   claims:

helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl

@@ -45,11 +45,11 @@ ldapServer:
   ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
 
 persistence:
-  data:
-    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  sharedData:
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
     size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
-  shared:
-    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  sharedRun:
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
     size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
 
 securityContext:
@@ -72,6 +72,11 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer }}
 
 service:
   type: "ClusterIP"

helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl

@@ -40,5 +40,10 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi }}
 
 ...

helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl

@@ -42,5 +42,10 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent }}
 
 ...

helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -195,7 +195,7 @@ config:
         authorizationServicesEnabled: false
         attributes:
           backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/ncoidc"
+          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
         protocolMappers:
           - name: "context"
@@ -597,6 +597,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap }}
 
 podAnnotations:
   intents.otterize.com/service-name: "ums-keycloak-bootstrap"

helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl

@@ -106,5 +106,9 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
-
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend }}
 ...

helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl

@@ -23,8 +23,8 @@ persistence:
 
 portalListener:
   adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
-  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
+  assetsRootPath: "portal-assets"
+  ucsInternalPath: "portal-data"
 
   ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
   ldapHost: {{ .Values.ldap.host | quote }}
@@ -35,12 +35,16 @@ portalListener:
   portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   udmApiUsername: "cn=admin"
-  debugLevel: "4"
+  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   tlsMode: "off"
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   udmApiUsername: "cn=admin"
   umcGetUrl: "http://ums-umc-server/get"
   umcSessionUrl: "http://ums-umc-server/get/session-info"
+  objectStorageEndpoint: "http://minio:9000"
+  objectStorageBucket: "ums"
+  objectStorageAccessKeyId: "ums_user"
+  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
 
 resources:
   {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
@@ -71,5 +75,10 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener }}
 
 ...

helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl

@@ -16,9 +16,13 @@ portalServer:
   editable: "false"
   umcGetUrl: "http://ums-umc-server/get"
   umcSessionUrl: "http://ums-umc-server/get/session-info"
-  logLevel: {{ .Values.debug.logLevel | quote }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
+  ucsInternalPath: "portal-data"
+  objectStorageEndpoint: "http://minio:9000"
+  objectStorageBucket: "ums"
+  objectStorageAccessKeyId: "ums_user"
+  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
   centralNavigation:
     enabled: true
     authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
@@ -46,5 +50,10 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer }}
 
 ...

helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl

@@ -3,15 +3,110 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}
-  repository: {{ .Values.images.umsProvisioning.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsProvisioning.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
+
+dispatcher:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
+  resources:
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    readOnlyRootFilesystem: false
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }}
+
+events-and-consumer-api:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
+  rootPath: "/univention/provisioning-api"
+  ingress:
+    # copied from values-common.yaml.gotmpl
+    # Intentionally not using the Ingress configuration of the UMS stack at the
+    # moment, since it does depend on rewriting capabilities of the ingress
+    # controller. Those are encapsulated into the release "stack-gateway" so that
+    # the compatibility with all ingress controllers is increased.
+    enabled: false
+    host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  resources:
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    readOnlyRootFilesystem: false
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }}
+
+udm-listener:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
+  config:
+    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+    ldapHost: {{ .Values.ldap.host | quote }}
+    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+    ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  resources:
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+      add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+    runAsUser: 0
+    runAsGroup: 0
+    runAsNonRoot: false
+    readOnlyRootFilesystem: false
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }}
 
 nats:
   global:
@@ -39,19 +134,4 @@ nats:
       registry: {{ .Values.global.imageRegistry }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
-
-provisioningApi:
-  rootPath: "/univention/provisioning-api"
-
-resources:
-  {{ .Values.resources.umsProvisioning | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
 ...

helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl

@@ -44,7 +44,7 @@ selfserviceListener:
   machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   notifierServer: {{ .Values.ldap.notifierHost | quote }}
   umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
-  debugLevel: "4"
+  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   tlsMode: "off"
   umcServerUrl: "http://ums-umc-server"
   umcAdminUser: "default.admin"
@@ -69,5 +69,10 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }}
 
 ...

helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl

@@ -25,6 +25,11 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
 
 stackDataContext:
   ldapBase: "dc=swp-ldap,dc=internal"

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl

@@ -25,6 +25,11 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
 
 stackDataContext:
   idpSamlMetadataUrlInternal: null
@@ -43,7 +48,6 @@ stackDataContext:
   ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
   initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
 
-
 stackDataUms:
   loadDevData: true
   udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}

helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl

@@ -22,8 +22,9 @@ image:
       {{- end }}
 
 persistence:
-  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
+  data:
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
 
 resources:
   {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
@@ -48,6 +49,11 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav }}
 
 storeDav:
   auth:

helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl

@@ -47,6 +47,11 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi }}
 
 udmRestApi:
   # TODO: Stub value currently

helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl

@@ -54,5 +54,10 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }}
 
 ...

helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl

@@ -90,6 +90,11 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }}
 
 umcServer:
   certPemFile: "/var/secrets/ssl/tls.crt"

helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl

@@ -60,11 +60,13 @@ containerSecurityContext:
     drop:
       - "ALL"
   readOnlyRootFilesystem: false
+  privileged: false
   runAsGroup: 1000
   runAsNonRoot: true
   runAsUser: 1000
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap }}
 
 podAnnotations:
   intents.otterize.com/service-name: "ums-keycloak-bootstrap"

helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl

@@ -40,9 +40,11 @@ handler:
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
+    privileged: false
     runAsUser: 1000
     runAsGroup: 1000
     runAsNonRoot: true
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }}
   resources:
     {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
 postgresql:
@@ -59,6 +61,10 @@ proxy:
       nginx.org/proxy-buffer-size: "8k"
       nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
     paths:
+      {{- if .Values.debug.enabled }}
+      - pathType: "Prefix"
+        path: "/admin"
+      {{- end }}
       - pathType: "Prefix"
         path: "/realms"
       - pathType: "Prefix"
@@ -78,10 +84,12 @@ proxy:
         - "ALL"
     seccompProfile:
       type: "RuntimeDefault"
+    privileged: false
     readOnlyRootFilesystem: true
     runAsUser: 1000
     runAsGroup: 1000
     runAsNonRoot: true
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }}
   resources:
     {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
 ...

helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl

@@ -25,7 +25,7 @@ config:
     user: {{ .Values.databases.keycloak.username | quote }}
     database: {{ .Values.databases.keycloak.name | quote }}
     password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
-  logLevel: {{ .Values.debug.logLevel | quote }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   enableMetrics: true
   # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
   # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
@@ -39,10 +39,12 @@ containerSecurityContext:
       - "ALL"
   seccompProfile:
     type: "RuntimeDefault"
+  privileged: false
   readOnlyRootFilesystem: false
   runAsUser: 1000
   runAsGroup: 1000
   runAsNonRoot: true
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }}
 
 podSecurityContext:
   fsGroup: 1000

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl

@@ -35,6 +35,7 @@ podSecurityContext:
 containerSecurityContext:
   enabled: true
   runAsUser: 1001
+  runAsGroup: 0
   runAsNonRoot: true
   privileged: false
   readOnlyRootFilesystem: false
@@ -44,6 +45,7 @@ containerSecurityContext:
       - "ALL"
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }}
 
 service:
   type: "ClusterIP"
@@ -171,22 +173,22 @@ serverBlock: |
     }
 
 
-    ## store-dav
+    ## object storage (minio)
     location /univention/portal/icons/entries/ {
-      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
+      rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break;
+      proxy_pass http://minio:9000;
     }
     location /univention/portal/icons/logos/ {
-      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
+      rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break;
+      proxy_pass http://minio:9000;
     }
     location /univention/selfservice/icons/entries/ {
-      rewrite ^/univention/selfservice(/icons/entries/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
+      rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break;
+      proxy_pass http://minio:9000;
     }
     location /univention/selfservice/icons/logos/ {
-      rewrite ^/univention/selfservice(/icons/logos/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
+      rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break;
+      proxy_pass http://minio:9000;
     }
 
 
@@ -278,10 +280,10 @@ serverBlock: |
       proxy_pass http://ums-portal-frontend:80/;
     }
 
-    ## provisioning-api
+    ## ums-provisioning
     location /univention/provisioning-api/ {
       rewrite ^/univention/provisioning-api(/.*)$ $1 break;
-      proxy_pass http://ums-provisioning-provisioning-api:80;
+      proxy_pass http://ums-provisioning-events-and-consumer-api:80;
     }
 
     ## guardian

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -18,9 +18,15 @@ externalDB:
   customKeyRef:
     enabled: false
 
+
+securityContext:
+  enabled: true
+  fsGroup: 101
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   enabled: true
+  privileged: false
   runAsUser: 100
   runAsGroup: 101
   runAsNonRoot: true
@@ -29,6 +35,8 @@ containerSecurityContext:
       - "ALL"
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.xwiki }}
 
 customConfigs:
   xwiki.cfg:
@@ -132,7 +140,7 @@ properties:
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": {{ .Values.theme.colors.white | quote }}
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": {{ .Values.theme.colors.secondaryGreyLight | quote }}
   # yamllint disable-line rule:line-length
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": " li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd; height: 64px; } div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd !important; height: 64px;} div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }"
 
   "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
   ## Fields to search in when importing users from the administration UI (not completely in scope for now)
@@ -158,12 +166,6 @@ replicaCount: {{ .Values.replicas.xwiki }}
 resources:
   {{ .Values.resources.xwiki | toYaml | nindent 2 }}
 
-securityContext:
-  enabled: true
-  fsGroup: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
 service:
   externalPort: 80
   enabled: true

helmfile/environments/default/charts.yaml

@@ -46,7 +46,8 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
     name: "collabora-online"
-    version: "1.1.8"
+    version: "1.1.11"
+    verify: true
     # @supplier: "Collabora"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '1', '8']
@@ -59,7 +60,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "cryptpad"
-    version: "0.0.17"
+    version: "0.0.18"
     verify: true
     # @supplier: "XWiki"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -243,7 +244,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "1.3.3"
+    version: "1.5.0"
     verify: true
     # @supplier: "openDesk"
 
@@ -255,7 +256,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "1.3.3"
+    version: "1.5.0"
     verify: true
     # @supplier: "openDesk"
 
@@ -267,7 +268,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "nginx"
-    version: "15.5.1"
+    version: "15.9.3"
     verify: true
     # @supplier: "openDesk"
 
@@ -342,7 +343,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
     name: "opendesk-otterize"
-    version: "1.7.0"
+    version: "1.7.3"
     verify: true
     # @supplier: "openDesk"
 
@@ -580,7 +581,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "portal-frontend"
-    version: "0.9.2"
+    version: "0.14.0"
     verify: true
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -594,7 +595,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "portal-listener"
-    version: "0.9.2"
+    version: "0.14.0"
     verify: true
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -608,7 +609,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "portal-server"
-    version: "0.9.2"
+    version: "0.14.0"
     verify: true
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -617,16 +618,16 @@ charts:
   umsProvisioning:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/provisioning-api
+    # upstreamRepository=souvap/tooling/charts/univention/provisioning
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "provisioning-api"
-    version: "0.2.1"
+    name: "provisioning"
+    version: "0.9.5"
     verify: true
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '2', '1']
+    # @mirrorFrom: ['0', '9', '5']
 
   umsSelfserviceListener:
     # renovate:
@@ -670,20 +671,6 @@ charts:
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '41', '8']
 
-  umsStoreDav:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/store-dav
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "store-dav"
-    version: "0.9.3"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '3']
-
   umsUdmRestApi:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -734,7 +721,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "xwiki"
-    version: "1.2.6"
+    version: "1.3.0"
     verify: false
     # @supplier: "XWiki"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'

helmfile/environments/default/debug.yaml

@@ -11,6 +11,9 @@ cleanup:
   # Keep additional resources, like certificates on deletion of this release.
   keepRessourceOnDelete: true
 debug:
-  # Currently used in: umsKeycloak
-  logLevel: "INFO"
+  # should activate debug output in all components and even allow e.g. successfully executed jobs
+  # to stay available. This is going to be implemented on a case by case basis when we actually
+  # need debugging in a component.
+  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}`
+  enabled: false
 ...

helmfile/environments/default/global.generated.yaml

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v0.5.76"
+    releaseVersion: "v0.5.77"
 ...

helmfile/environments/default/images.yaml

@@ -5,22 +5,23 @@ images:
   clamd:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=clamav/clamav
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
     # @supplier: "openDesk"
+
   collabora:
     # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/collabora
+    # upstreamRegistry=registry.opencode.de
+    # upstreamRepository=bmi/opendesk/components/supplier/collabora/images
     # dependencyType=supplier
     registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/collabora/images-mirror/collabora"
-    tag: "23.05.6.4.1@sha256:98e2107ba9dc7d69b146d9319473fb42249c5291ef5b570c8bd6eff941564697"
+    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
+    tag: "23.05.9.1.1@sha256:9eeaf2795987d67cf6259f2942ea3318649fdf50beb939c895bef26a4c4dd146"
     # @supplier: "Collabora"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)\.\d+\.\d+$'
-    # @mirrorFrom: ['23', '5', '6']
+
   cryptpad:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -31,20 +32,21 @@ images:
     tag: "opendesk-20231222@sha256:f4d20d5c38c87b11ed1a1b46ef6a3633d32c6758ebdff8556458f040318fa5e2"
     # @supplier: "XWiki"
     # @mirrorFilter: '^opendesk-(\d+)$'
+
   dovecot:
     # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/dovecot-public-sector
+    # upstreamRegistry=registry.opencode.de
+    # upstreamRepository=bmi/opendesk/components/supplier/open-xchange/images/dovecot-public-sector
     # dependencyType=supplier
     registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/dovecot-public-sector"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images/dovecot-public-sector"
     tag: "2.3.21@sha256:c76965a84d1ca527f523404eb027119f6736b199c094e4671037cb345ecad3dc"
     # @supplier: "Open-Xchange"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['2', '3', '21']
+
   element:
     # renovate:
     # upstreamRegistry=registry.opencode.de
+    # upstreamRepository=bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
@@ -52,22 +54,27 @@ images:
     # @supplier: "Element"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '8', '0']
+
   freshclam:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=clamav/clamav
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
     # @supplier: "openDesk"
+
   icap:
     # renovate:
     # upstreamRegistry=registry.opencode.de
+    # upstreamRepository=bmi/opendesk/components/platform-development/images/clamav-icap
     # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/clamav-icap"
     tag: "0.5.10@sha256:891f267a6b2a304616854ad2f013dc5d23f6f6c84d535c8b46e76d124fe39b6a"
     # @supplier: "openDesk"
+
   intercom:
     # renovate:
     # upstreamRegistry=quay.io
@@ -79,6 +86,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '6']
+
   jibri:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -90,6 +98,7 @@ images:
     # @supplier: "Nordeck"
     # @mirrorFilter: '^stable-(\d+)$'
     # @mirrorFrom: ['8922']
+
   jicofo:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -101,6 +110,7 @@ images:
     # @supplier: "Nordeck"
     # @mirrorFilter: '^stable-(\d+)$'
     # @mirrorFrom: ['8922']
+
   jitsi:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -112,6 +122,7 @@ images:
     # @supplier: "Nordeck"
     # @mirrorFilter: '^stable-(\d+)$'
     # @mirrorFrom: ['8922']
+
   jitsiKeycloakAdapter:
     # renovate:
     # upstreamRegistry=ghcr.io
@@ -123,6 +134,7 @@ images:
     # @supplier: "Nordeck"
     # @mirrorFilter: '^v(\d\d\d\d)(\d\d)(\d\d)$'
     # @mirrorFrom: ['2023', '12', '14']
+
   jitsiPatchJVB:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -132,6 +144,7 @@ images:
     repository: "bitnami/kubectl"
     tag: "1.26.8@sha256:c6902a1fdce0a24c9f93ac8d1f317039b206a4b307d8fc76cab4a92911345757"
     # @supplier: "Nordeck"
+
   jvb:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -143,14 +156,17 @@ images:
     # @supplier: "Nordeck"
     # @mirrorFilter: '^stable-(\d+)$'
     # @mirrorFrom: ['8922']
+
   mariadb:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=library/mariadb
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "library/mariadb"
     tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f"
     # @supplier: "openDesk"
+
   matrixNeoBoardWidget:
     # renovate:
     # upstreamRegistry=ghcr.io
@@ -162,6 +178,7 @@ images:
     # @supplier: "Nordeck"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '4', '0']
+
   matrixNeoChoiceWidget:
     # renovate:
     # upstreamRegistry=ghcr.io
@@ -173,6 +190,7 @@ images:
     # @supplier: "Nordeck"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '4', '0']
+
   matrixNeoDateFixBot:
     # renovate:
     # upstreamRegistry=ghcr.io
@@ -184,6 +202,7 @@ images:
     # @supplier: "Nordeck"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['2', '7', '0']
+
   matrixNeoDateFixWidget:
     # renovate:
     # upstreamRegistry=ghcr.io
@@ -195,6 +214,7 @@ images:
     # @supplier: "Nordeck"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '6', '0']
+
   matrixUserVerificationService:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -206,70 +226,87 @@ images:
     # @supplier: "Element"
     # @mirrorFilter: '^v(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['3', '0', '0']
+
   memcached:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=bitnami/memcached
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "bitnami/memcached"
     tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
     # @supplier: "openDesk"
+
   milter:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=clamav/clamav
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
     # @supplier: "openDesk"
+
   minio:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=bitnami/minio
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "bitnami/minio"
     tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
     # @supplier: "openDesk"
+
   nextcloudApache2:
     # renovate:
-    # registryUrl=registry.opencode.de
+    # upstreamRegistry=registry.opencode.de
+    # upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2
     # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.7@sha256:f80bb93f0fda83143ebb35dab23dc02127609bed5dfa14bb659fc9ce6ebc6673"
+    tag: "1.1.13@sha256:874567579cbe8604e22caa06e8d5de42c74e41deda2d47bd6b50ab3898dd3dd7"
     # @supplier: "openDesk"
+
   nextcloudExporter:
     # renovate:
     # upstreamRegistry=registry.opencode.de
+    # upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-nextcloud-exporter
     # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-exporter"
-    tag: "1.0.0@sha256:a05b0f7d7e919320285d2808ebcc20a7b7163204a1001d7d9fb5a97d97194081"
+    tag: "1.0.1@sha256:63e63c7420e37d3989fa0ffdbcf18a07b2a603ab9b2a849c2e7e44342dd82af0"
     # @supplier: "openDesk"
+
   nextcloudManagement:
     # renovate:
-    # registryUrl=registry.opencode.de
+    # upstreamRegistry=registry.opencode.de
+    # upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management
     # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.0.11@sha256:969bdaaa24ef6091ecb8b63b4fb2f7925fa10eaf46d3997ec74f6414ac373a8d"
+    tag: "1.3.1@sha256:a4b781a6926ca4e7a4c9c58af7a46e93b74364f1fc5c2fd65de2bce17f8efc30"
     # @supplier: "openDesk"
+
   nextcloudPHP:
     # renovate:
-    # registryUrl=registry.opencode.de
+    # upstreamRegistry=registry.opencode.de
+    # upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php
     # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.6.1@sha256:21e8584f10f19b263be76a93df2658e2e845e00548d1b176ee336eb1f0e15a50"
+    tag: "1.8.1@sha256:4ad4a6ce6c8e01e1972fa19aae65b79d43aaf3f51083aa3c4302598fce2046c8"
     # @supplier: "openDesk"
+
   opendeskKeycloakBootstrap:
     # renovate:
     # upstreamRegistry=registry.opencode.de
+    # upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap
     # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
     tag: "1.0.4@sha256:28eebb647180aef95d816a7d788891fa780f552f699c38cedddecbcef7a0bd1d"
     # @supplier: "openDesk"
+
   openproject:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -277,35 +314,41 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "13.2.0@sha256:79e703d814bef918acff626f12b4301818263e4c95f90d889d0b83a06a195675"
+    tag: "13.3.0@sha256:276c20d648d61da94b294b23ced29f65ff7f681fdca5592b6eca400457cddb49"
     # @supplier: "OpenProject"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['13', '1', '1']
+
   openprojectBootstrap:
     # renovate:
     # upstreamRegistry=registry.opencode.de
+    # upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap
     # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
     tag: "1.1.3@sha256:401afe66c418fd130088edbed5cc3b4464dc667eb609f194ea68fd30dcbd1e90"
     # @supplier: "openDesk"
+
   openprojectInitDb:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
-    # upstreamRepository=postgres
+    # upstreamRepository=library/postgres
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "library/postgres"
     tag: "13@sha256:ced3ba927f4cf06e03eac7760f426a95367076fb31fe4e31b679f82d119a3519"
     # @supplier: "OpenProject"
+
   openxchangeBootstrap:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=alpine/k8s
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "alpine/k8s"
     tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
     # @supplier: "openDesk"
+
   openxchangeCoreGuidedtours:
     # renovate:
     # upstreamRegistry=registry.open-xchange.com
@@ -317,6 +360,7 @@ images:
     # @supplier: "Open-Xchange"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['8', '6', '0']
+
   openxchangeCoreMW:
     # renovate:
     # upstreamRegistry=registry.open-xchange.com
@@ -328,6 +372,7 @@ images:
     # @supplier: "Open-Xchange"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['8', '20', '51']
+
   openxchangeCoreUI:
     # renovate:
     # upstreamRegistry=registry.open-xchange.com
@@ -339,6 +384,7 @@ images:
     # @supplier: "Open-Xchange"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['8', '20', '1']
+
   openxchangeCoreUIMiddleware:
     # renovate:
     # upstreamRegistry=registry.open-xchange.com
@@ -350,6 +396,7 @@ images:
     # @supplier: "Open-Xchange"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['2', '0', '0']
+
   openxchangeCoreUserGuide:
     # renovate:
     # upstreamRegistry=registry.open-xchange.com
@@ -361,6 +408,7 @@ images:
     # @supplier: "Open-Xchange"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['8', '20', '799279']
+
   openxchangeDocumentConverter:
     # renovate:
     # upstreamRegistry=registry.open-xchange.com
@@ -372,6 +420,7 @@ images:
     # @supplier: "Open-Xchange"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['8', '20', '50']
+
   openxchangeGotenberg:
     # renovate:
     # upstreamRegistry=registry.open-xchange.com
@@ -379,10 +428,11 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/gotenberg"
-    tag: "7.9.2@sha256:c97c1adb971d149222062ec46c5d749d710b38ad153c5c6ed954023e2401c9d0"
+    tag: "8.0.3@sha256:1f4979e8cfde1c69f28c24604d19b3a11cf95c59b2a73db957c5af0a27a30ce8"
     # @supplier: "Open-Xchange"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['7', '9', '2']
+
   openxchangeGuardUI:
     # renovate:
     # upstreamRegistry=registry.open-xchange.com
@@ -394,6 +444,7 @@ images:
     # @supplier: "Open-Xchange"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['4', '2', '2']
+
   openxchangeImageConverter:
     # renovate:
     # upstreamRegistry=registry.open-xchange.com
@@ -405,6 +456,7 @@ images:
     # @supplier: "Open-Xchange"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['8', '20', '50']
+
   openxchangeNextcloudIntegrationUI:
     # renovate:
     # upstreamRegistry=registry.open-xchange.com
@@ -416,6 +468,7 @@ images:
     # @supplier: "Open-Xchange"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '2', '0']
+
   openxchangePublicSectorUI:
     # renovate:
     # upstreamRegistry=registry.open-xchange.com
@@ -427,6 +480,7 @@ images:
     # @supplier: "Open-Xchange"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['2', '2', '1']
+
   oxConnector:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -438,22 +492,27 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '4', '2']
+
   postfix:
     # renovate:
     # upstreamRegistry=registry.opencode.de
+    # upstreamRepository=bmi/opendesk/components/platform-development/images/postfix
     # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/postfix"
     tag: "1.0.0@sha256:61e4661a7323101dfb51c85c5a48c345c75436f3f533176f049d2660d711a8a5"
     # @supplier: "openDesk"
+
   postgresql:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=library/postgres
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "library/postgres"
     tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
     # @supplier: "openDesk"
+
   prosody:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -465,6 +524,7 @@ images:
     # @supplier: "Nordeck"
     # @mirrorFilter: '^stable-(\d+)$'
     # @mirrorFrom: ['8922']
+
   redis:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -474,6 +534,7 @@ images:
     repository: "bitnami/redis"
     tag: "7.2.3-debian-11-r2@sha256:9ac3bbf7740969d32689e360ddcfa5f672538c47f6f6cf296173c3078de0edf2"
     # @supplier: "openDesk"
+
   synapse:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -485,14 +546,17 @@ images:
     # @supplier: "Element"
     # @mirrorFilter: '^v(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '91', '2']
+
   synapseCreateUser:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=alpine/k8s
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "alpine/k8s"
     tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
     # @supplier: "Nordeck"
+
   synapseGuestModule:
     # renovate:
     # upstreamRegistry=ghcr.io
@@ -504,25 +568,17 @@ images:
     # @supplier: "Nordeck"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '0', '0']
+
   synapseWeb:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=rapidfort/haproxy-official
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "rapidfort/haproxy-official"
     tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
     # @supplier: "Element"
-  umsConfigHtpasswd:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/config-htpasswd
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/config-htpasswd"
-    tag: "0.9.4@sha256:ba4f6fa2736a789c6c7413cc784bfadbeda1b3269fee29a871207f6f2ba2ee08"
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '4']
+
   umsDataLoader:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -534,6 +590,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '41', '5']
+
   umsGuardianAuthorizationApi:
     # renovate:
     # upstreamRegistry=docker.software-univention.de
@@ -545,6 +602,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '0', '0']
+
   umsGuardianManagementApi:
     # renovate:
     # upstreamRegistry=docker.software-univention.de
@@ -556,6 +614,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '0', '0']
+
   umsGuardianManagementUi:
     # renovate:
     # upstreamRegistry=docker.software-univention.de
@@ -567,6 +626,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '0', '0']
+
   umsKeycloak:
     # renovate:
     # upstreamRegistry=docker.software-univention.de
@@ -578,6 +638,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+).+$'
     # @mirrorFrom: ['22', '0', '3']
+
   umsKeycloakBootstrap:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -589,6 +650,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '0', '5']
+
   umsKeycloakExtensionHandler:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -596,10 +658,11 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    tag: "0.0.3@sha256:b27d76b1a397bc776b0b7e652e318fd707da4bbfba81908ed3a7ca866b2ee8cc"
+    tag: "0.2.0@sha256:ed3a391cb32b9bb9408a4b8e9839b6ee89cbab60149732cd51165a871a91c54d"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '0', '3']
+
   umsKeycloakExtensionProxy:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -607,10 +670,11 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.0.3@sha256:368c57fc4e730d2ad8e24b29f4c876f7e6dbd835a9913f5d0909159409cd5042"
+    tag: "0.2.0@sha256:8b924ab47771b9aee07384e3d13106406d49b1e7ef7fc46648adb1f0fb401327"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '0', '3']
+
   umsLdapNotifier:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -622,6 +686,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '8', '2']
+
   umsLdapServer:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -633,6 +698,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '8', '2']
+
   umsNotificationsApi:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -644,6 +710,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '9', '4']
+
   umsOpenPolicyAgent:
     # renovate:
     # upstreamRegistry=docker.software-univention.de
@@ -655,16 +722,19 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '0', '0']
+
   umsPortalFrontend:
     # renovate:
-    # registryUrl=https://registry.souvap-univention.de
+    # upstreamRegistry=registry.souvap-univention.de
+    # upstreamRepository=souvap/tooling/images/univention/portal-frontend
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.9.4@sha256:97887159fc4a7febdf663761a65b7fac2eb7b99b6dd042c7d63ce6b254ea6fb9"
+    tag: "0.14.0@sha256:6f96a7479728e07c3d3311c85e1d14f7ef45f4d5bc5c9a008ce62203ef232f79"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '9', '4']
+
   umsPortalListener:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -672,10 +742,11 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.9.4@sha256:1e03db8153cbff0825c4370526d5d44a6b9b92c643b0e605d1bfc762ebac3a31"
+    tag: "0.14.0@sha256:5c86167d3a6ff7e85ff7e870596dd9864c1802b4f622c1f2378472744d4c4c34"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '9', '4']
+
   umsPortalServer:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -683,45 +754,77 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.9.4@sha256:47c825f83b61799b287b11cf5c548e05000c21e7d071d1f2095fbba4c952d84c"
+    tag: "0.14.0@sha256:d608db0692f9638e53101dabaf7749a9fbc29c316194f1977bd8986444f9f472"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '9', '4']
-  umsProvisioning:
+
+  umsProvisioningDispatcher:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/provisioning-dispatch
+    # upstreamRepository=souvap/tooling/images/univention/dispatcher
     # dependencyType=supplier
     registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatch"
-    tag: "0.4.0@sha256:43fda35f02cfa7c4c6aaa42e561858f7b0b80485370c1e393cef3a4b8d7715c0"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/dispatcher"
+    tag: "0.9.5@sha256:35bfe36c0f44070a514074804f740e9f3d60d2d1386757067d392bc2ebef9f84"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '4', '0']
+    # @mirrorFrom: ['0', '9', '5']
+
+  umsProvisioningEventsAndConsumerApi:
+    # renovate:
+    # upstreamRegistry=registry.souvap-univention.de
+    # upstreamRepository=souvap/tooling/images/univention/events-and-consumer-api
+    # dependencyType=supplier
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/events-and-consumer-api"
+    tag: "0.9.5@sha256:e8e9c40ccad460e4c837b7c0108de04b1ab9faf4d385ffd280e5326731a3116b"
+    # @supplier: "Univention"
+    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
+    # @mirrorFrom: ['0', '9', '5']
+
   umsProvisioningNats:
     # renovate:
-    # upstreamRegistry=docker.io
-    # upstreamRepository=nats
+    # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=library/nats
     # dependencyType=external
-    registry: "docker.io"
-    repository: "nats"
+    registry: "registry-1.docker.io"
+    repository: "library/nats"
     tag: "2.10.5-alpine@sha256:85319e5e541b6f273dbffc722e001601f391028e004c90a4fadab53475789e79"
+    # @supplier: "Univention"
+
   umsProvisioningNatsBox:
     # renovate:
-    # upstreamRegistry=docker.io
-    # upstreamRepository=nats
+    # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=natsio/nats-box
     # dependencyType=external
-    registry: "docker.io"
+    registry: "registry-1.docker.io"
     repository: "natsio/nats-box"
     tag: "0.14.1@sha256:a67913df95f1d5b265117e49e4c83228091d13d6783d80215ddcf84aba695ef4"
+    # @supplier: "Univention"
+
   umsProvisioningNatsReloader:
     # renovate:
-    # upstreamRegistry=docker.io
-    # upstreamRepository=nats
+    # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=natsio/nats-server-config-reloader
     # dependencyType=external
-    registry: "docker.io"
+    registry: "registry-1.docker.io"
     repository: "natsio/nats-server-config-reloader"
     tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
+    # @supplier: "Univention"
+
+  umsProvisioningUdmListener:
+    # renovate:
+    # upstreamRegistry=registry.souvap-univention.de
+    # upstreamRepository=souvap/tooling/images/univention/udm-listener
+    # dependencyType=supplier
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-listener"
+    tag: "0.9.5@sha256:4550913a415e0ab17701a4475f87461836b74546cb9a89d452ac607e5b5dfdfb"
+    # @supplier: "Univention"
+    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
+    # @mirrorFrom: ['0', '9', '5']
+
   umsSelfserviceInvitation:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -733,6 +836,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '3', '2']
+
   umsSelfserviceListener:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -744,6 +848,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '3', '2']
+
   umsStackGateway:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
@@ -753,17 +858,7 @@ images:
     repository: "bitnami/nginx"
     tag: "1.25.3@sha256:40ce0d6b8f5fc174a4df8c59c8893164c540192ee862cb7253650a30d9dc3b73"
     # @supplier: "Univention"
-  umsStoreDav:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/store-dav
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/store-dav"
-    tag: "0.9.4@sha256:4a2c7675c15a244a3a8c002e030db425cdbe5cd7bf8c21ced4bac6f5252382bd"
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '4']
+
   umsUdmRestApi:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -775,6 +870,7 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '5', '2']
+
   umsUmcGateway:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -782,10 +878,11 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.7.3@sha256:e32cfe40cb0022d4084d89e9ae0367e559302c50d92223bd4c8905698141a3ef"
+    tag: "0.9.0@sha256:e15b59b851b3cae2bdfde1a9de707bfbc64a124db98a8d9ac7965d7d3827519b"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '7', '3']
+
   umsUmcServer:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -793,10 +890,11 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.7.3@sha256:4de1e4164cd442cfd2e9fe0d8cc144e73872a53f493a64d735f5c635715e1437"
+    tag: "0.9.0@sha256:7ef0f6a3a3024120a4dae6f0bd44fc531c88ca0b5893465d0bdbd96b5a9c87ea"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '7', '3']
+
   umsWaitForDependency:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
@@ -804,18 +902,21 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.9.4@sha256:63451fe519d557e52d5f99e21231594daebb2990eb734931172ad61543c443cb"
+    tag: "0.14.0@sha256:fda3f99be59614115997a55ad5887bf8f6482de4c8e168706aac3e42575b4915"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '9', '4']
+
   wellKnown:
     # renovate:
     # upstreamRegistry=registry-1.docker.io
+    # upstreamRepository=library/nginx
     # dependencyType=external
     registry: "registry-1.docker.io"
     repository: "library/nginx"
     tag: "1.25.2-bookworm@sha256:9504f3f64a3f16f0eaf9adca3542ff8b2a6880e6abfb13e478cca23f6380080a"
     # @supplier: "Element"
+
   xwiki:
     # renovate:
     # upstreamRegistry=git.xwikisas.com:5050

helmfile/environments/default/objectstore.gotmpl

@@ -12,4 +12,12 @@ objectstores:
     secret: ""
     username: "openproject_user"
     useIAMProfile: ""
+  univentionManagementStack:
+    backend: "minio"
+    bucket: "ums"
+    endpoint: ""
+    region: ""
+    secret: ""
+    username: "ums_user"
+    useIAMProfile: ""
 ...

helmfile/environments/default/persistence.yaml

@@ -21,6 +21,5 @@ persistence:
       ldapServerShared: "1Gi"
       portalListener: "1Gi"
       selfserviceListener: "1Gi"
-      storeDav: "1Gi"
     xwiki: "1Gi"
 ...

helmfile/environments/default/resources.yaml

@@ -466,13 +466,6 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsStoreDav:
-    limits:
-      cpu: 99
-      memory: "1Gi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
   umsUdmRestApi:
     limits:
       cpu: 99

helmfile/environments/default/secrets.gotmpl

@@ -24,9 +24,6 @@ secrets:
       administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum | quote }}
       userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
       adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum | quote }}
-    storeDavUsers:
-      portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
-      portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
   postgresql:
     postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
     keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}

helmfile/environments/default/selinux.yaml

@@ -0,0 +1,95 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+#
+# Disclaimer:
+# We assume that you are very aware of what you are doing when working wih SELinux settings and that you can easily
+# break the affected components with these settings.
+---
+seLinuxOptions:
+  clamavSimple: ~
+  clamd: ~
+  collabora: ~
+  cryptpad: ~
+  dovecot: ~
+  element: ~
+  freshclam: ~
+  icap: ~
+  intercom: ~
+  # The Jibri Helm chart does not support setting the securityContext externally.
+  #jibri: ~
+  jicofo: ~
+  jitsi: ~
+  jitsiKeycloakAdapter: ~
+  jitsiPatchJVB: ~
+  jvb: ~
+  mariadb: ~
+  matrixNeoBoardWidget: ~
+  matrixNeoChoiceWidget: ~
+  matrixNeoDateFixBot: ~
+  matrixNeoDateFixWidget: ~
+  matrixUserVerificationService: ~
+  memcached: ~
+  milter: ~
+  minio: ~
+  nextcloudApache2: ~
+  nextcloudExporter: ~
+  nextcloudManagement: ~
+  nextcloudPHP: ~
+  opendeskKeycloakBootstrap: ~
+  openproject: ~
+  openprojectBootstrap: ~
+  openprojectInitDb: ~
+  openxchangeBootstrap: ~
+  openxchangeCoreGuidedtours: ~
+  openxchangeCoreMW: ~
+  openxchangeCoreUI: ~
+  openxchangeCoreUIMiddleware: ~
+  openxchangeCoreUserGuide: ~
+  openxchangeDocumentConverter: ~
+  openxchangeGotenberg: ~
+  openxchangeGuardUI: ~
+  openxchangeImageConverter: ~
+  openxchangeNextcloudIntegrationUI: ~
+  openxchangePublicSectorUI: ~
+  oxConnector: ~
+  postfix: ~
+  postgresql: ~
+  prosody: ~
+  redis: ~
+  synapse: ~
+  synapseCreateUser: ~
+  synapseGuestModule: ~
+  synapseWeb: ~
+  umsConfigHtpasswd: ~
+  umsDataLoader: ~
+  umsGuardianAuthorizationApi: ~
+  umsGuardianManagementApi: ~
+  umsGuardianManagementUi: ~
+  umsKeycloak: ~
+  umsKeycloakBootstrap: ~
+  umsKeycloakExtensionHandler: ~
+  umsKeycloakExtensionProxy: ~
+  umsLdapNotifier: ~
+  umsLdapServer: ~
+  umsNotificationsApi: ~
+  umsOpenPolicyAgent: ~
+  umsPortalFrontend: ~
+  umsPortalListener: ~
+  umsPortalServer: ~
+  umsProvisioningDispatcher: ~
+  umsProvisioningEventsAndConsumerApi: ~
+  umsProvisioningNats: ~
+  umsProvisioningNatsBox: ~
+  umsProvisioningNatsReloader: ~
+  umsProvisioningUdmListener: ~
+  umsSelfserviceInvitation: ~
+  umsSelfserviceListener: ~
+  umsStackGateway: ~
+  umsStoreDav: ~
+  umsUdmRestApi: ~
+  umsUmcGateway: ~
+  umsUmcServer: ~
+  umsWaitForDependency: ~
+  wellKnown: ~
+  xwiki: ~
+...

helmfile/environments/test/values.yaml.gotmpl

@@ -5,4 +5,26 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
   imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+persistence:
+  storageClassNames:
+    RWX: "kyverno-test"
+    RWO: "kyverno-test"
+  size:
+    clamav: "42Gi"
+    dovecot: "42Gi"
+    mariadb: "42Gi"
+    matrixNeoDateFixBot: "42Gi"
+    minio: "42Gi"
+    postfix: "42Gi"
+    postgresql: "42Gi"
+    prosody: "42Gi"
+    redis: "42Gi"
+    synapse: "42Gi"
+    univentionManagementStack:
+      ldapServerData: "42Gi"
+      ldapServerShared: "42Gi"
+      portalListener: "42Gi"
+      selfserviceListener: "42Gi"
+      storeDav: "42Gi"
+    xwiki: "42Gi"
 ...

helmfile/files/gpg-pubkeys/README.md

@@ -0,0 +1,6 @@
+# GPG public keys
+
+Place GPG public keys in binary format into this directory and reference them in the respective `helmfile.yaml`.
+
+In case you have only an ASCII Armored file you can just base64 decode the payload of that file, but remember to
+**not include** the 4-letter checksum that is prefixed with an `=` sign at the end of the payload.